[cabfpub] Proposed new ballot on IP Addresses in SANs

Ryan Sleevi sleevi at google.com
Sat Apr 16 16:01:29 UTC 2016


I really want to echo the concerns that Richard and Geoff have raised, and
really push back on the notion that a CA was "forced" to violate the BRs.
That's an extremely bold claim, and if that's the perspective that CAs are
taking - that they're "forced" to violate the BRs if a customer wants
something the BRs prohibit - then that greatly undermines trust in the CA
and whether they are genuinely trying to help make the Internet a more
secure place.

I am particularly troubled by this argument, because as Wayne notes, I
pointed out to you a solution for this in August of 2015, and now it's
April of 2016. You've had 8 months to deploy a solution that's fully
compliant with the BRs - after nearly a decade to discover the behaviour I
mentioned, and nearly five years since the BRs were passed to actually
investigate. This suggests either a lack of creativity on the part of the
CAs doing this to actually look for viable, compliant solutions, a lack of
engineering ability on the part of CAs to actually implement, or a lack of
care towards actually following the BRs. I'd love to know which it is,
because all are troubling.

The argument itself is fairly troubling, especially considering the recent
remarks about wildcard handling. Would you see it fit to issue wildcards
for IP addresses, given that Microsoft CryptoAPI - for precisely the
reasons being discussed in this thread here - inappropriately allows
*.168.0.1 to match 192.168.0.1? Just see
http://www.westpoint.ltd.uk/advisories/wp-10-0001.html if you're not
familiar with those details.

I find the justifications for proposing such a change deeply troubling, and
it suggests that some CAs aren't interested in finding technical solutions.
Instead, as Richard has pointed out, it seems some are looking to ignore
the standards they're held to for so long, and so thoroughly, so as to
justify relaxing the standards. And that should be concerning for all
members, especially those who have taken the stance of adhering to the
requirements put forth, potentially at cost to their businesses and
customers.

We simply cannot support a ballot like that proposed, since there seems to
have been zero good-faith effort to actually explore a solution that
doesn't involve violating the BRs, despite having one available for so long.
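The wildcard-against-IP-literal matching problem referred to above, as an added illustration that is not code from this post or from CryptoAPI: a naive matcher that treats every presented name as a DNS name beside a checker that routes IP literals only to iPAddress SANs. The SAN list is a simplified, assumed representation of (type, value) tuples rather than a parsed certificate.

```python
import ipaddress


def naive_match(pattern, presented):
    """Wildcard matching as a careless hostname matcher does it: a leading '*'
    label matches any single leftmost label, with no check that the presented
    name is a DNS name at all. Reproduces the bug class from the thread:
    '*.168.0.1' is accepted for '192.168.0.1'."""
    if pattern.startswith("*."):
        p_labels = pattern[2:].split(".")
        n_labels = presented.split(".")
        return len(n_labels) == len(p_labels) + 1 and n_labels[1:] == p_labels
    return pattern.lower() == presented.lower()


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def hardened_match(sans, reference):
    """sans: list of (san_type, value) with san_type 'dNSName' or 'iPAddress'
    (constructed representation). reference: the name the client connected to.

    - An IP literal matches only an iPAddress SAN, compared as parsed addresses
      (so textual variants of the same address still match) and never against
      dNSName entries, so no wildcard can ever apply to an address.
    - Wildcards are honoured only in dNSName entries, only in the leftmost
      label, covering exactly one label, and only when at least two further
      labels follow (no '*.com')."""
    if is_ip_literal(reference):
        ref_ip = ipaddress.ip_address(reference)
        return any(t == "iPAddress" and is_ip_literal(v)
                   and ipaddress.ip_address(v) == ref_ip for t, v in sans)
    ref_labels = reference.lower().rstrip(".").split(".")
    for san_type, value in sans:
        if san_type != "dNSName":
            continue
        labels = value.lower().rstrip(".").split(".")
        if labels[0] == "*":
            if (len(labels) >= 3 and len(ref_labels) == len(labels)
                    and ref_labels[1:] == labels[1:]):
                return True
        elif labels == ref_labels:
            return True
    return False
```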